Late last month, global distributed denial of service (DDoS) protection provider Cloudflare announced that it would no longer charge customers extra when they were under attack. The company claims to have nearly 10 million customers and a presence in 117 cities around the world, with enough capacity to handle more than 15 terabits of traffic per second. It provides DDoS protection to enterprises, small businesses, and even personal websites. The company also works with a number of large data center providers.

The unlimited DDoS billing was rolled out to all its customers, including those getting the free version of the service, said Matthew Prince, CEO at Cloudflare, Inc. "We finally got to the point where we think we have so much scale, and can deliver our service more efficiently, that we're waiving surge pricing for all our plans," he said.

Surge pricing too often meant that smaller companies found themselves with either high bills they couldn’t afford or no services because they exceeded their contracted maximum volume. Cloudflare is not the first DDoS protection provider to offer unmetered pricing, but its decision might signal the end of the practice. That would have a significant effect on limiting damage from DDoS attacks.

Why unmetered DDoS protection will be standard

Protecting small websites benefits everyone, Prince said, because it can help Cloudflare identify attacks and stop them as close to the source as possible. "Even low-end customers help contribute to the overall knowledge," he said. Prince expects other DDoS protection providers to follow suit. "What I think will happen is this will become the industry standard," he said.

That's good news for customers. "The last thing you want is an unpredictable cost model that can fluctuate depending on the attack size," said the director of security operations at a 25-year-old private equity firm. "The focus should be on effective defense strategy, not the uncertainty of a fluid billing model."

For some companies, having DDoS protection in place is part of their business model. "We viewed it as an investment in good customer service, given the prevalence of such attacks," said Paul Mazzucco, CSO at TierPoint, LLC, a data center service provider. For the past few months, the company has been providing DDoS protection at no extra charge, regardless of the size of the attacks.

TierPoint is getting its DDoS protection through Radware Ltd., which bills based on the amount of legitimate traffic that a company gets. "Our pricing is not bound by an attack size they may face," said Carl Herberger, the company's VP of security solutions.

Similarly, Neustar, Inc. charges customers for clean traffic. "Becoming a victim of a DDoS attack is never a choice made by a customer," said Joe Loveless, the company's director of product marketing. "Being online means being susceptible to attack."

Metered DDoS pricing used to be more common, said Theresa Abbamondi, director of product management for Arbor Cloud and Services at Arbor Networks, Inc. That created a risk for customers, she said. Arbor has been pricing based on clean traffic since it launched its service four years ago, one of the first vendors to do so. "Most of the purpose-built anti-DDoS vendors quickly moved to this type of clean traffic pricing model, and it became the standard in the high end of the market," she said.

"Among vendors like Cloudflare, who sell DDoS as an add-on service to a customer base more interested in the vendor's core offerings, it's still common today to see vendors limiting the total bandwidth of traffic they will scrub, blackholing traffic that exceeds that threshold, or hitting the customer with exorbitant, hidden fees," said Abbamondi. Cloudflare's new pricing is a game changer for that segment of the DDoS protection market, she said, "but is now in line with the broader market."

Joseph Blankenship, analyst at Forrester Research, Inc., agrees with that assessment. "Many standalone DDoS protection services already provide unmetered mitigation as part of their service plans," he said. "What we will likely see going forward is other service providers adding DDoS protection as part of a bundled service offering."

DDoS attacks to continue as tactics shift

That doesn't mean that DDoS attacks are on their way out, he said, since attackers are constantly looking for new ways to do damage. For example, attackers can go after specific web applications.

That's already happening, said Radware's Herberger. "Hackers today rely less on large-scale volumetric DDoS attacks and have moved toward more sophisticated and non-volume attack vectors, which can have a devastating impact with a small footprint," he said.

Some services or Internet service providers (ISPs) may not be able to cope if an attack continues for a long period of time. "When a particularly large and sustained attack threatens to exceed the 95th percentile, which is the way all ISPs bill for bandwidth, of the committed bandwidth, this cost will be passed on to the victim, or more simply, their service will be suspended," said Donny Chong, product director for Nexusguard Ltd.
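As an added illustration, not part of the article or any vendor's code, the Python below shows why the 95th-percentile billing Chong describes ignores short bursts but turns a sustained attack into an overage against the committed rate. It uses a constructed month of 5-minute samples; the committed rate, baseline load and attack size are assumed values.

```python
"""Constructed example of ISP-style 95th-percentile bandwidth billing under a
sustained DDoS attack. All rates and durations below are assumed, not measured."""

SAMPLE_MINUTES = 5
SAMPLES_PER_MONTH = 30 * 24 * 60 // SAMPLE_MINUTES   # 8640 samples in a 30-day month
COMMITTED_MBPS = 1000.0                               # assumed committed rate


def percentile_95(samples: list[float]) -> float:
    """ISP-style 95th percentile: sort descending, discard the top 5% of samples
    and bill the highest value that remains."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples, reverse=True)
    discard = int(0.05 * len(ordered))   # 432 samples for a full month
    return ordered[discard]


def month_profile(baseline_mbps: float, attack_mbps: float, attack_hours: float) -> list[float]:
    """Constructed traffic profile: flat legitimate load plus one sustained attack
    of the given duration, with attack traffic stacked on top of the baseline."""
    attack_samples = min(SAMPLES_PER_MONTH, int(attack_hours * 60 / SAMPLE_MINUTES))
    samples = [baseline_mbps] * (SAMPLES_PER_MONTH - attack_samples)
    samples += [baseline_mbps + attack_mbps] * attack_samples
    return samples


def overage_mbps(samples: list[float], committed_mbps: float = COMMITTED_MBPS) -> float:
    """Bandwidth above the commit that the ISP would bill (0.0 if none)."""
    return max(0.0, percentile_95(samples) - committed_mbps)


def attack_hours_to_affect_bill() -> float:
    """Shortest sustained attack that outlasts the 5% discard window (about 36 h)."""
    discard = int(0.05 * SAMPLES_PER_MONTH)
    return (discard + 1) * SAMPLE_MINUTES / 60


if __name__ == "__main__":
    for hours in (1, 24, 48):
        profile = month_profile(200.0, 3000.0, hours)
        print(f"{hours:>3} h attack: billed {percentile_95(profile):.0f} Mbps, "
              f"overage {overage_mbps(profile):.0f} Mbps")
```

A 24-hour attack at 3 Gbps leaves the bill at the 200 Mbps baseline, while the same attack over 48 hours lifts the billed rate to 3.2 Gbps, well past the 1 Gbps commit.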

Chong said that Nexusguard picks up the cost of any overage, "without the fine print. We believe that the nature of a DDoS protection service should be absolute," he said. "To do so with caveats and surprise fees defeats the principle of offering the service to the businesses that need it in the first place."

The company's billing policy even applies to increases in regular business traffic. "Nexusguard's flat and un-metered service ensures no surprise overage bills, be it a DDoS attack or a seasonal surge in legitimate requests or DNS queries," said the CIO of an ecommerce company that uses Nexusguard for DDoS protection.

DDoS attacks have been in the news recently, most notably with the Mirai botnet attack that took down Dyn last fall. Attacks are getting larger and target companies of all sizes.

According to Deloitte Global, the largest attacks in 2013 were 300 gigabits per second, and went up to 500 gigabits in 2015. Then, last year, two attacks crossed the 1 terabit-per-second threshold.